With the proliferation of the Internet and broadband networks, many Internet and e-commerce companies are dealing with the exchange of confidential information over the Internet. Examples of confidential information include credit card numbers, bank account numbers, social security numbers, birth dates, and highly personal and private medical records. Current digital certificates issued under the public key infrastructure (PKI) system use the secure sockets layer (SSL) protocol to protect Internet communications in transit. Thus, many Internet companies are using firewalls and SSL as the standard means for protecting communication between their clients and their servers. While the SSL protocol developed by Netscape Communications Corporation is capable of providing 128-bit keys (the longer the key, the stronger the encryption), the use of single, fixed-key cryptography to encrypt such confidential information is vulnerable to current cyber attack methods. Also, SSL protects data in transit only. Thus, recently publicized assaults were successful in quickly stealing thousands of credit card numbers and other confidential information from various web sites.
Typically, an e-commerce company attempts to protect its fixed encryption key and sensitive data by locating its servers in a physically secure room equipped with locked doors and surveillance cameras. However, hackers do not need physical access to server rooms in order to access data stored on a company's server. Hackers simply need legitimate Internet protocol (IP) access to the company's network. Even with the use of firewalls, this access can be gained through several hacking methods such as IP spoofing and network scanning. After a hacker gains access to the network, it simply requires some patience to obtain the fixed encryption key utilizing common cyber attacks and network scanners. Once the encryption key is obtained, hackers can decrypt most, if not all, of the information on the company's server including credit card numbers and other sensitive confidential information about the company's customers and employees.
From a medical patient's perspective, the consequences of unauthorized access to personal medical records are even greater. For a typical consumer, canceling and replacing credit cards is a relatively minor inconvenience compared to the compromise and potential publication of sensitive medical information. Further, tampering with medical information is a potentially life-threatening violation of privacy. Therefore, the protection of confidential information, especially medical records, requires a greater assurance that the customer's or patient's confidential information is secure.